{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver Enterprise Portal", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.10"}, {"status": "affected", "version": "< 7.11"}, {"status": "affected", "version": "< 7.20"}, {"status": "affected", "version": "< 7.30"}, {"status": "affected", "version": "< 7.31"}, {"status": "affected", "version": "< 7.40"}, {"status": "affected", "version": "< 7.50"}]}], "descriptions": [{"lang": "en", "value": "The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-27T16:06:10", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/3074844"}, {"name": "20220126 Onapsis Security Advisory 2021-0023: SAP Enterprise Portal - SSRF iviewCatcherEditor", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2022/Jan/72"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2021-33705", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver Enterprise Portal", "version": {"version_data": [{"version_name": "<", "version_value": "7.10"}, {"version_name": "<", "version_value": "7.11"}, {"version_name": "<", "version_value": "7.20"}, {"version_name": "<", "version_value": "7.30"}, {"version_name": "<", "version_value": "7.31"}, {"version_name": "<", "version_value": "7.40"}, {"version_name": "<", "version_value": "7.50"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability."}]}, "impact": {"cvss": {"baseScore": "8.1", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918: Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"}, {"name": "https://launchpad.support.sap.com/#/notes/3074844", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/3074844"}, {"name": "20220126 Onapsis Security Advisory 2021-0023: SAP Enterprise Portal - SSRF iviewCatcherEditor", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2022/Jan/72"}, {"name": "http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:58:22.822Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/3074844"}, {"name": "20220126 Onapsis Security Advisory 2021-0023: SAP Enterprise Portal - SSRF iviewCatcherEditor", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2022/Jan/72"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2021-33705", "datePublished": "2021-09-15T18:01:52", "dateReserved": "2021-05-28T00:00:00", "dateUpdated": "2024-08-03T23:58:22.822Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_portal:7.10:*:*:*:*:*:*:*", "matchCriteriaId": "44A9A096-82EC-4C2B-B60D-BF1BBB32C8AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_portal:7.11:*:*:*:*:*:*:*", "matchCriteriaId": "58ABB418-29D0-4531-BE39-A40C1B5D5591", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_portal:7.20:*:*:*:*:*:*:*", "matchCriteriaId": "F0A2C70F-5512-4DBA-9E2C-412C5610739D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_portal:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "4BAAD549-2E08-4A1C-935A-564C53A267D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_portal:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "B2E5FF0C-4C65-4F54-8C85-70D6BBA40F71", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_portal:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "85F5CD30-04BD-486A-BAE1-DB99FDE89242", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_portal:7.50:*:*:*:*:*:*:*", "matchCriteriaId": "36B6A5F2-7449-4737-A792-5C17162236A0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability."}, {"lang": "es", "value": "El componente Iviews Editor del SAP NetWeaver Portal, versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, contiene una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) que permite a un atacante no autenticado dise\u00f1ar una URL maliciosa que cuando un usuario hace clic en \u00e9l puede hacer cualquier tipo de petici\u00f3n (por ejemplo, POST, GET) a cualquier servidor interno o externo. Esto puede resultar en el acceso o la modificaci\u00f3n de los datos accesibles desde el Portal, pero no afectar\u00e1 a su disponibilidad"}], "id": "CVE-2021-33705", "lastModified": "2024-11-21T06:09:24.677", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "cna@sap.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-15T19:15:09.813", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html"}, {"source": "cna@sap.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Jan/72"}, {"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/3074844"}, {"source": "cna@sap.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Jan/72"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/3074844"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@sap.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}